Security Policy

Enterprise-Grade Security Controls to Protect Your Data & Infrastructure

Xotiv Technologies maintains a robust security posture aligned with global standards and regulations including SOC 2, ISO 27001, GDPR, HIPAA, and industry best practices.

Our Security Policy outlines the administrative, technical, and physical safeguards we implement to protect systems, data, intellectual property, and customer environments.

With strong governance and continuous monitoring, we ensure integrity, confidentiality, and availability across all service operations.

Security Policy

Xotiv Technologies Pvt Ltd

Registered Address: A-152, Sector-63, Noida, Uttar Pradesh – 201301, India

Legal Jurisdiction: India – Private Limited

Security Contact: privacy@xotiv.com


Introduction

Xotiv Technologies Pvt Ltd (“Xotiv,” “we,” “our,” or “the Company”) is committed to maintaining the highest standards of information security, data protection, and operational resilience. As a global technology and consulting partner handling sensitive customer information, we follow enterprise-grade security practices aligned with internationally recognized frameworks and regulations, including ISO/IEC 27001, SOC 2 Type II, GDPR, HIPAA, and industry best practices.

This Security Policy outlines the administrative, technical, and physical safeguards that govern how Xotiv secures systems, software, infrastructures, client data, and intellectual property. This policy applies to all employees, contractors, consultants, and authorized third parties who access or process Xotiv-managed systems or customer data.


Security Governance & Compliance

Governance Framework

Xotiv maintains a centralized security governance model led by senior leadership, supported by dedicated information security functions responsible for:

  • Establishing and maintaining security standards
  • Continuous monitoring of risks and threats
  • Ensuring compliance with global regulations
  • Conducting internal audits and corrective action programs

Compliance Standards

Xotiv aligns with the following controls and regulatory frameworks:

  • ISO/IEC 27001:2022 – Information Security Management System
  • SOC 2 Trust Services Criteria – Security, Availability, Confidentiality
  • GDPR (EU 2016/679) – applicable to data subjects in the EU
  • HIPAA Security Rule – for healthcare-related engagements
  • Indian IT Act 2000 and amendments
  • Client-specific regulatory requirements, including PCI-DSS or FINRA, when applicable

We conduct periodic external assessments and annual internal audits.


Information Security Objectives

Xotiv’s security objectives include:

  • Protecting client and internal data from unauthorized access
  • Ensuring confidentiality, integrity, and availability of systems
  • Maintaining resilient operations with minimal disruption
  • Implementing proactive threat identification and mitigation
  • Ensuring secure engineering and DevSecOps practices
  • Maintaining documented disaster recovery and business continuity

Asset Management

Information Asset Inventory

All information assets—hardware, software, cloud resources, data sets, APIs, and applications—are classified and documented based on business criticality.

Data Classification Categories

  • Confidential Data (client data, source code, financial data, IP)
  • Internal Data (operational documents, internal systems)
  • Public Data (marketing material, public documentation)

Ownership & Responsibilities

Asset owners are responsible for defining access controls, retention requirements, and classification levels.


Access Control

Authentication Standards

  • Multi-Factor Authentication (MFA) is mandatory for all administrative and cloud platform access.
  • Identity federation (SSO) is used for internal tools whenever possible.

Authorization Protocols

  • Principle of Least Privilege (PoLP)
  • Role-Based Access Control (RBAC)
  • Mandatory access reviews every 90 days

Remote Access Security

Remote access uses encrypted VPN connections, device compliance checks, and zero-trust authentication.

Network & Infrastructure Security

Zero Trust Architecture

Xotiv adheres to a Zero Trust model ensuring continuous validation of user identity, device posture, and network behavior.

Network Segmentation

  • Segregation of development, staging, production, and testing environments
  • Restricted access between internal VLANs
  • Dedicated zones for security-sensitive workloads

Perimeter Defense

  • Next-generation firewalls
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Global DDoS mitigation

Cloud Security Controls

All cloud deployments follow best practices for:

  • IAM hardening
  • Key rotation
  • API security
  • VPC isolation
  • Cloud-native security scanning

Supported platforms include AWS, Azure, and GCP.


Application Security & Secure Development

Secure SDLC

Xotiv integrates DevSecOps principles across the entire development lifecycle:

  • Secure coding standards (OWASP Top 10, CWE/SANS Top 25)
  • Automated SAST and DAST scanning integrated into the CI/CD pipeline
  • Dependency and software supply-chain vulnerability checks
  • Mandatory peer code review before changes are merged

API Security

  • Enforced authentication (OAuth 2.0, JWT, API Keys)
  • Threat detection for API abuse
  • Rate limiting and gateway protections

Change Management

Changes to systems or applications follow:

  • Risk assessment
  • Approval workflow
  • Version control
  • Deployment traceability

Data Protection & Encryption

Encryption Standards

  • Data at Rest: AES-256
  • Data in Transit: TLS 1.2 or later
  • Key Management: cloud-native KMS or HSM-backed key storage, with documented rotation

Data Loss Prevention (DLP)

Xotiv maintains multi-layer DLP solutions covering:

  • Email content inspection
  • Endpoint restrictions
  • Secure USB policies
  • Cloud DLP for sensitive data monitoring

Data Retention

Data is retained only for as long as a business, contractual, or legal need exists, and is then securely erased in line with NIST media sanitization guidance (NIST SP 800-88).


Physical & Environmental Security

Office Security Controls

  • Restricted biometric access
  • 24×7 CCTV monitoring
  • Visitor management logs
  • Secure server rooms with limited access

Employee Device Security

  • Enforced device encryption
  • Mobile Device Management (MDM)
  • Mandatory endpoint protection (EDR)

Third-Party & Vendor Security

Xotiv evaluates all vendors who process or access client data through:

  • Security questionnaires
  • Contractual data protection clauses
  • Compliance verification (SOC 2, ISO, GDPR)
  • Ongoing monitoring and periodic re-assessment

Incident Response & Monitoring

Incident Response Framework

Modeled on NIST SP 800-61, Xotiv’s IR framework includes:

  1. Preparation
  2. Detection & Analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-incident activity (lessons learned and corrective actions)

Continuous Monitoring

  • SIEM-based log aggregation
  • Real-time threat detection
  • Anomaly detection and behavior analytics
  • 24×7 security alerting

Breach Notification

In the event of a data breach affecting regulated data:

  • GDPR: where Xotiv acts as a controller, the supervisory authority is notified within 72 hours of becoming aware of the breach (Art. 33); where Xotiv acts as a processor, the controller is notified without undue delay
  • HIPAA: as required by the Breach Notification Rule
  • Stricter notification timelines agreed with clients in contracts or SLAs apply in addition to these statutory obligations

Business Continuity & Disaster Recovery

Resilience Strategy

Xotiv maintains BC/DR plans ensuring:

  • Redundant cloud infrastructure
  • Automated backups and recovery testing
  • RPO/RTO targets agreed with clients in their SLAs
  • Crisis management and failover strategies

Backup Standards

  • Encrypted backups
  • Scheduled backups (hourly/daily/weekly depending on systems)
  • Periodic restore testing

Employee Security Practices

Background Verification

All employees undergo:

  • Identity verification
  • Employment history checks
  • Criminal background checks (where legally permitted)

Security Awareness Training

Mandatory recurring training (annual and quarterly sessions) on:

  • Data privacy
  • Secure coding
  • Threat awareness (phishing, ransomware)
  • Policy compliance

Confidentiality Agreements

Every employee and contractor signs:

  • NDA
  • Acceptable use policy
  • Security compliance agreement

HIPAA Compliance (When Applicable)

For healthcare clients, Xotiv:

  • Implements HIPAA-compliant access controls
  • Maintains audit logs of PHI access
  • Signs Business Associate Agreements (BAA)
  • Enforces encryption and minimum necessary use

GDPR Compliance

Key GDPR-aligned measures include:

  • Data minimization standards
  • Right to access, portability, correction, and deletion
  • Lawful basis for processing
  • Data Processing Addendums (DPAs)
  • Secure international data transfers (SCCs)
  • Designated privacy contact (privacy@xotiv.com)

Policy Review & Amendments

This policy is reviewed annually or upon significant organizational, technical, or regulatory changes. Updated versions are published on the official website.


Contact Information

For security concerns, breach notifications, or reporting vulnerabilities:

Email: privacy@xotiv.com

Address: A-152, Sector-63, Noida, U.P – 201301, India
